Most environments have more SSL certificates than anyone's actively tracking. They expire on a fixed date, and when one gets missed, there's no grace period. Services go down, and the root cause isn't always obvious right away. Effective SSL certificate monitoring covers more than expiry dates: misconfiguration detection, any TLS port, and centralized visibility across your environment.
Paessler PRTG is an infrastructure monitoring tool that handles SSL/TLS certificate monitoring natively, alongside servers, networks, and applications. No separate certificate management tool required. Coverage includes HTTPS (port 443), LDAPS (636), IMAPS (993), SMTPS (465), and custom HTTPS ports like 8443, with web servers, internal APIs, Windows and Linux services, and Microsoft/Azure-hosted endpoints all in scope. Also part of broader website monitoring and uptime monitoring.
Systematic SSL certificate expiry tracking keeps your services running and your users unaffected. Automated monitoring replaces spreadsheets and calendar reminders with configurable thresholds that alert the right person at the right time. Consistent certificate visibility protects user experience directly. PRTG watches expiration dates across all your configured endpoints and sends alerts based on thresholds you define: warn at 30 days, escalate at 7, or whatever fits your renewal process. All monitored certificates show up in one dashboard with current status and days remaining, covering external sites, internal services, APIs, and non-standard ports, for any validity window.
Expiration gets most of the attention, but it's not the only way a certificate causes problems. Catching a revoked cert, a name mismatch after a server rename, or a self-signed certificate on an internal service early gives you a specific signal to act on rather than a generic connection failure to trace back. PRTG checks multiple health dimensions per endpoint simultaneously: revocation status, name validation, self-signed detection, trust chain status, and public key strength. That gives you specific signals rather than a generic error to dig into.

Ping response and packet loss

Tickets keep your team aligned

Live graphs, real-time performance data
A clean TLS migration means confirming that only the protocol versions you want are still active across every port. Scheduled checks across your environment show you exactly which devices accept SSLv3, TLS 1.0, or TLS 1.1, so you can verify compliance proactively. PRTG runs scheduled protocol checks per device, per port, and shows you exactly which SSL/TLS versions are accepted or denied across your environment. You define what counts as compliant, and PRTG alerts you when something drifts from that policy on the next scheduled check, with no separate security scanner required.
Start monitoring your infrastructure in minutes. No professional services, no complex configuration, no risk.
Certificate validity periods are getting shorter. Google is moving toward 90-day maximums for public TLS certificates, and proposals currently in progress would reduce that further to 47 days by 2029. A monitoring setup built around annual renewals doesn't translate directly to that cadence, but adjusting alert thresholds in PRTG is a one-setting change. The actual renewal happens in whatever workflow you already use, whether manual, ACME-based, or a dedicated CLM tool, with no changes to that process required.

Scheduled reports, always on time

Full device list, instant overview

Probe health at a glance
Here's how the technical side works: the sensor types PRTG uses for SSL/TLS certificate monitoring, how they connect to endpoints, what they measure, how alerting is configured, and what reporting covers.
TASK | Without PRTG Without PRTG | With PRTG With PRTG |
|---|---|---|
Tracking expiry dates | Without PRTG Manual calendar reminders, spreadsheets | With PRTG Automated monitoring with configurable threshold alerts (defaults: 90-day warning / 30-day error) |
Checking for misconfigurations | Without PRTG Manual inspection or when something breaks | With PRTG CN/SAN, revocation, key length, self-signed, checked on every polling cycle |
Covering internal/non-443 services | Without PRTG Often not tracked at all | With PRTG Any TCP/IP port (implicit TLS): LDAPS (636), IMAPS (993), SMTPS (465), custom ports |
Getting visibility across all certs | Without PRTG Scattered across admin panels and systems | With PRTG Centralized dashboard, certificate status per endpoint updated at each polling interval |
Knowing which TLS versions are accepted | Without PRTG Manual probe tools, run on demand | With PRTG SSL Security Check sensor, continuous per endpoint |
Choose the PRTG Network Monitor subscription that's best for you.
| License Name | License description | Price | License Details | Get started | Pricing Details | |
|---|---|---|---|---|---|---|
| PRTG 500 | $200 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 50 devices | ||
| PRTG 1000 | $358 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 100 devices | ||
| PRTG 2500 | $742 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 250 devices | ||
| PRTG 5000 | $1,300 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 500 devices | ||
| PRTG 10000 | $1,642 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 1000 devices |
The "Days to Expiration" channel is where most people start, and where you configure warning and error thresholds. PRTG defaults to 90 days (warning) and 30 days (error). You can stack multiple triggers on the same channel if different teams handle renewals at different lead times.
Beyond expiry, the sensor checks Certificate Name Validation (CN/SAN match against host or SNI), Revocation Status, Signed By, Self-Signed detection, Public Key Length, Public Key Strength, and Downtime. For name validation, SANs are checked first; CN is the fallback if no SAN is present.
As early as you want. The "Days to Expiration" channel accepts any threshold value you set. PRTG defaults are 90 days (warning) and 30 days (error), but if your renewal workflow needs 120 days of lead time, set it there. Stack multiple triggers to send a first notification at 60 days and escalate to a second contact at 30.
Yes, though there's one constraint to know before you start: the sensor requires an immediate TLS handshake (implicit TLS). Services that use STARTTLS, where the connection starts unencrypted and upgrades, aren't compatible. Port 587 is the typical example of a port that won't work. For everything else: LDAPS on 636, IMAPS on 993, SMTPS on 465, custom ports like 8443. All fine.
No. PRTG monitors certificates, it doesn't manage or renew them. Renewal stays with your existing process or tooling. What PRTG does is give you enough lead time to act before the SSL certificate expiration date becomes a problem, and make sure nothing slips through unnoticed in the meantime. The monitoring part is covered. Renewal stays with your existing process.
The stable SSL Security Check sensor probes a specified port using SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3, and reports which versions the endpoint accepts. By default, TLS 1.2 and 1.3 must be accepted and the older versions must be denied. Any deviation triggers an alert. That covers most environments without configuration.
Still, if your environment intentionally accepts something the defaults would flag, the SSL/TLS Security Check BETA adds configurable expected results per protocol version. You define what "pass" means for each version on a given endpoint. Enabling it requires PRTG's Beta Sensors to be turned on. Go to your PRTG settings and enable Beta Sensors before deploying.
Yes. The sensor connects over the network to a TCP/IP endpoint. No agent needed on the host. Works with services on Linux or Windows, on-premises or cloud-hosted, including Azure.
PRTG is licensed by sensor count. Each SSL Certificate or SSL Security Check sensor uses one sensor from your license. No separate module, no add-on. Certificate monitoring is part of the standard feature set.
You can try PRTG free for 30 days, no credit card required. Full access to all features, including SSL certificate monitoring.
Network Monitoring Software – Version 26.1.116.1532 (February 9th, 2026)
Download for Windows and cloud-based version PRTG Hosted Monitor available
English, German, Spanish, French, Portuguese, Dutch, Russian, Japanese, and Simplified Chinese
Network devices, bandwidth, servers, applications, virtual environments, remote systems, IoT, and more
Choose the PRTG Network Monitor subscription that's best for you